Restricted Wi-Fi Access Between Public and Private SSIDs

ABSTRACT

Novel tools and techniques are provided for implementing network access configurations, and, more particularly, for implementing restricted Wi-Fi access configuration between public and private service set identifiers (“SSIDs”). In some embodiments, a user might request public network access using a user device. A network device, which is in communication with the user device might receive the request for public network access from the user device. The network device might determine whether the user device is associated with a first identifier that is associated with a user having network private access to the network through the network device. If not, the network device might provide the user device with network public access to the network(s), via a network public access path. If so, the network device might prevent the user device from having network public access to the network(s).

CROSS-REFERENCES TO RELATED APPLICATIONS

This application claims priority to U.S. Patent Application Ser. No.62/343,599 (the “'599 Application”), filed May 31, 2016 by Robert J.Morrill et al. (attorney docket no. 020370-028501US), entitled,“Restricted Wi-Fi Access Between Public and Private SSIDs,” thedisclosure of which is incorporated herein by reference in its entiretyfor all purposes.

COPYRIGHT STATEMENT

A portion of the disclosure of this patent document contains materialthat is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure as it appears in the Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightrights whatsoever.

FIELD

The present disclosure relates, in general, to methods, systems, andapparatuses for implementing network access configurations, and, moreparticularly, to methods, systems, and apparatuses for implementingrestricted Wi-Fi access configuration between public and private serviceset identifiers (“SSIDs”).

BACKGROUND

Currently, the industry is moving towards a multi-service set identifier(“SSID”) Wi-Fi solution in which a broadband subscriber's modem orgateway device, which has a first SSID that allows private networkaccess, is augmented with a second SSID that allows controlled or publicnetwork access. Such a solution, however, may be susceptible tosubscribers' attempts to boost their total subscribed bandwidth usage(via the private network access), by trying to additionally access thenetwork via the public network access.

Hence, there is a need for more robust and scalable solutions forimplementing network access configurations, and, more particularly, tomethods, systems, and apparatuses for implementing restricted Wi-Fiaccess configuration between public and private SSIDs.

BRIEF DESCRIPTION OF THE DRAWINGS

A further understanding of the nature and advantages of particularembodiments may be realized by reference to the remaining portions ofthe specification and the drawings, in which like reference numerals areused to refer to similar components. In some instances, a sub-label isassociated with a reference numeral to denote one of multiple similarcomponents. When reference is made to a reference numeral withoutspecification to an existing sub-label, it is intended to refer to allsuch multiple similar components.

FIGS. 1A and 1B are schematic diagrams illustrating various systems forimplementing restricted Wi-Fi access configuration between public andprivate SSIDs, in accordance with various embodiments.

FIG. 2 is a simplified schematic diagram illustrating a system forimplementing restricted Wi-Fi access configuration between public andprivate SSIDs, in accordance with various embodiments.

FIGS. 3A and 3B are flow diagrams illustrating a method for implementingrestricted Wi-Fi access configuration between public and private SSIDs,in accordance with various embodiments.

FIG. 4 is a block diagram illustrating an exemplary computer or systemhardware architecture, in accordance with various embodiments.

FIG. 5 is a block diagram illustrating a networked system of computers,computing systems, or system hardware architecture, which can be used inaccordance with various embodiments.

DETAILED DESCRIPTION OF CERTAIN EMBODIMENTS

Overview

Various embodiments provide tools and techniques for implementingnetwork access configurations, and, more particularly, to methods,systems, and apparatuses for implementing restricted Wi-Fi accessconfiguration between public and private service set identifiers(“SSIDs”).

In various embodiments, a user might request public network access usinga user device. A network device, which is in communication with the userdevice might receive the request for public network access from the userdevice. The network device might determine whether the user device isassociated with a first identifier that is associated with a user havingnetwork private access to the network through the network device. Ifnot, the network device might provide the user device with networkpublic access to the network(s), via a network public access path. Ifso, the network device might prevent the user device from having networkpublic access to the network(s).

In this manner, a user is prevented from supplementing his or hersubscribed private access bandwidth with additional bandwidth from thecommunity Wi-Fi or other public (or controlled) public access.

The following detailed description illustrates a few exemplaryembodiments in further detail to enable one of skill in the art topractice such embodiments. The described examples are provided forillustrative purposes and are not intended to limit the scope of theinvention.

In the following description, for the purposes of explanation, numerousspecific details are set forth in order to provide a thoroughunderstanding of the described embodiments. It will be apparent to oneskilled in the art, however, that other embodiments of the presentinvention may be practiced without some of these specific details. Inother instances, certain structures and devices are shown in blockdiagram form. Several embodiments are described herein, and whilevarious features are ascribed to different embodiments, it should beappreciated that the features described with respect to one embodimentmay be incorporated with other embodiments as well. By the same token,however, no single feature or features of any described embodimentshould be considered essential to every embodiment of the invention, asother embodiments of the invention may omit such features.

Unless otherwise indicated, all numbers used herein to expressquantities, dimensions, and so forth used should be understood as beingmodified in all instances by the term “about.” In this application, theuse of the singular includes the plural unless specifically statedotherwise, and use of the terms “and” and “or” means “and/or” unlessotherwise indicated. Moreover, the use of the term “including,” as wellas other forms, such as “includes” and “included,” should be considerednon-exclusive. Also, terms such as “element” or “component” encompassboth elements and components comprising one unit and elements andcomponents that comprise more than one unit, unless specifically statedotherwise.

Various embodiments described herein, while embodying (in some cases)software products, computer-performed methods, and/or computer systems,represent tangible, concrete improvements to existing technologicalareas, including, without limitation, network utilization technology,network access technology, network limited portal technology, and/or thelike. In other aspects, certain embodiments, can improve the functioningof user equipment or systems themselves (e.g., network devices, networknodes, modems, network interface devices, gateway devices, networkswitches, network routers, etc.), for example, by, in response toreceiving a request for network public access to a network through anetwork device from a user device, determining, with the network device,whether the user device is associated with a first identifier that isassociated with a user having network private access to the networkthrough the network device, and, based on a determination that the userdevice is associated with a first identifier that is associated with auser having network private access to the network through the networkdevice, preventing, with the network device, the user device from havingnetwork public access to the network, and/or the like. In particular, tothe extent any abstract concepts are present in the various embodiments,those concepts can be implemented as described herein by devices,software, systems, and methods that involve specific novel functionality(e.g., steps or operations), such as in response to receiving a requestfor network public access to a network through a network device from auser device, determining, with the network device, whether the userdevice is associated with a first identifier that is associated with auser having network private access to the network through the networkdevice, and, based on a determination that the user device is associatedwith a first identifier that is associated with a user having networkprivate access to the network through the network device, preventing,with the network device, the user device from having network publicaccess to the network, and/or the like, to name a few examples, thatextend beyond mere conventional computer processing operations. Thesefunctionalities can produce tangible results outside of the implementingcomputer system, including, merely by way of example, policing of (orcontrolling) network usage to the subscribed and paid-for amount, and/orthe like, at least some of which may be observed or measured bycustomers and/or service providers.

In an aspect, a method might comprise receiving, with a network deviceand from a user device, a request for network public access to a networkthrough the network device; and determining, with the network device,whether the user device is associated with a first identifier that isassociated with a user having network private access to the networkthrough the network device. The method might further comprise, based ona determination that the user device is associated with a firstidentifier that is associated with a user having network private accessto the network through the network device, preventing, with the networkdevice, the user device from having network public access to thenetwork.

In some embodiments, the first identifier might comprise a media accesscontrol (“MAC”) address. Alternatively, or additionally, the firstidentifier might comprise a service set identifier (“SSID”). In someinstances, the network device might comprise at least one of a modem, agateway device, a network switch, or a network router, and/or the like.

According to some embodiments, the user device has a second identifier,and determining whether the user device is associated with the firstidentifier that is associated with a user having network private accessto the network through the network device might comprise: accessing,with the network device, a database containing a list of identifiers;and comparing, with the network device, the second identifier with thefirst identifier. In some cases, preventing the user device from havingnetwork public access to the network might comprise preventing, with thenetwork device, the user device from having network public access to thenetwork, based on a determination that the second identifier matches thefirst identifier. Alternatively, preventing the user device from havingnetwork public access to the network might comprise preventing, with thenetwork device, the user device from having network public access to thenetwork, based on a determination that a user associated with the secondidentifier matches a user associated with the first identifier.

Merely by way of example, in some instances, the method might furthercomprise, further in response to receiving the request and further basedon the determination that the user device is associated with the firstidentifier, providing, with the network device and to a user interfaceof the user device, options for the user to purchase additionalbandwidth.

In some embodiments, the method might further comprise receiving, withthe network device and from a second user device, a request for networkprivate access to the network through the network device, the requestfor network private access comprising authentication information foraccessing the network using network private access; and authenticating,with the network device, the second user device by authenticating theauthentication information provided in the request for network privateaccess, wherein the second user device has a third identifier. Themethod might additionally comprise, in response to the second userdevice being authenticated, determining, with the network device,whether the third identifier has previously been associated with theuser having network private access to the network through the networkdevice; and based on a determination that the third identifier has notpreviously been associated with the user having network private accessto the network through the network device, adding, with the networkdevice, the third identifier to a list in a database indicating thethird identifier as being associated with the user having networkprivate access to the network through the network device.

In another aspect, a network device might comprise at least oneprocessor and a non-transitory computer readable medium communicativelycoupled to the at least one processor. The non-transitory computerreadable medium might have stored thereon computer software comprising aset of instructions that, when executed by the at least one processor,causes the network device to: receive, from a user device, a request fornetwork public access to a network through the network device; determinewhether the user device is associated with a first identifier that isassociated with a user having network private access to the networkthrough the network device; and based on a determination that the userdevice is associated with a first identifier that is associated with auser having network private access to the network through the networkdevice, prevent the user device from having network public access to thenetwork.

In some embodiments, the first identifier might comprise a media accesscontrol (“MAC”) address. Alternatively, or additionally, the firstidentifier might comprise a service set identifier (“SSID”). In someinstances, the network device might comprise at least one of a modem, agateway device, a network switch, or a network router, and/or the like.

According to some embodiments, the user device has a second identifier,and determining whether the user device is associated with the firstidentifier that is associated with a user having network private accessto the network through the network device might comprise: accessing adatabase containing a list of identifiers; and comparing the secondidentifier with the first identifier. In some cases, preventing the userdevice from having network public access to the network might comprisepreventing the user device from having network public access to thenetwork, based on a determination that the second identifier matches thefirst identifier. Alternatively, preventing the user device from havingnetwork public access to the network might comprise preventing the userdevice from having network public access to the network, based on adetermination that a user associated with the second identifier matchesa user associated with the first identifier.

Merely by way of example, in some instances, the set of instructions,when executed by the at least one processor, further causes the networkdevice to provide, to a user interface of the user device, options forthe user to purchase additional bandwidth, further in response toreceiving the request and further based on the determination that theuser device is associated with the first identifier.

In some embodiments, the set of instructions, when executed by the atleast one processor, further causes the network device to: receive, froma second user device, a request for network private access to thenetwork through the network device, the request for network privateaccess comprising authentication information for accessing the networkusing network private access; authenticate the second user device byauthenticating the authentication information provided in the requestfor network private access, wherein the second user device has a thirdidentifier; in response to the second user device being authenticated,determine whether the third identifier has previously been associatedwith the user having network private access to the network through thenetwork device; and based on a determination that the third identifierhas not previously been associated with the user having network privateaccess to the network through the network device, add the thirdidentifier to a list in a database indicating the third identifier asbeing associated with the user having network private access to thenetwork through the network device.

In yet another aspect, a system might comprise a network device, whichmight comprise at least one processor and a non-transitory computerreadable medium communicatively coupled to the at least one processor.The non-transitory computer readable medium might have stored thereoncomputer software comprising a set of instructions that, when executedby the at least one processor, causes the network device to: receive,from a user device, a request for network public access to a networkthrough the network device; determine whether the user device isassociated with a first identifier that is associated with a user havingnetwork private access to the network through the network device; andbased on a determination that the user device is associated with a firstidentifier that is associated with a user having network private accessto the network through the network device, prevent the user device fromhaving network public access to the network.

In some embodiments, the first identifier might comprise a media accesscontrol (“MAC”) address. Alternatively, or additionally, the firstidentifier might comprise a service set identifier (“SSID”). In someinstances, the network device might comprise at least one of a modem, agateway device, a network switch, or a network router, and/or the like.

According to some embodiments, the user device has a second identifier,and determining whether the user device is associated with the firstidentifier that is associated with a user having network private accessto the network through the network device might comprise: accessing adatabase containing a list of identifiers; and comparing the secondidentifier with the first identifier. In some cases, preventing the userdevice from having network public access to the network comprisespreventing the user device from having network public access to thenetwork, based on a determination that the second identifier matches thefirst identifier. Alternatively, preventing the user device from havingnetwork public access to the network might comprise preventing the userdevice from having network public access to the network, based on adetermination that a user associated with the second identifier matchesa user associated with the first identifier.

Merely by way of example, in some instances, the set of instructions,when executed by the at least one processor, further causes the networkdevice to provide, to a user interface of the user device, options forthe user to purchase additional bandwidth, further in response toreceiving the request and further based on the determination that theuser device is associated with the first identifier.

In some embodiments, the set of instructions, when executed by the atleast one processor, further causes the network device to: receive, froma second user device, a request for network private access to thenetwork through the network device, the request for network privateaccess comprising authentication information for accessing the networkusing network private access; authenticate the second user device byauthenticating the authentication information provided in the requestfor network private access, wherein the second user device has a thirdidentifier; in response to the second user device being authenticated,determine whether the third identifier has previously been associatedwith the user having network private access to the network through thenetwork device; and based on a determination that the third identifierhas not previously been associated with the user having network privateaccess to the network through the network device, add the thirdidentifier to a list in a database indicating the third identifier asbeing associated with the user having network private access to thenetwork through the network device.

Various modifications and additions can be made to the embodimentsdiscussed without departing from the scope of the invention. Forexample, while the embodiments described above refer to particularfeatures, the scope of this invention also includes embodiments havingdifferent combination of features and embodiments that do not includeall of the above described features.

Specific Exemplary Embodiments

We now turn to the embodiments as illustrated by the drawings. FIGS. 1-5illustrate some of the features of the method, system, and apparatus forimplementing network access configurations, and, more particularly, tomethods, systems, and apparatuses for implementing restricted Wi-Fiaccess configuration between public and private service set identifiers(“SSIDs”), as referred to above. The methods, systems, and apparatusesillustrated by FIGS. 1-5 refer to examples of different embodiments thatinclude various components and steps, which can be consideredalternatives or which can be used in conjunction with one another in thevarious embodiments. The description of the illustrated methods,systems, and apparatuses shown in FIGS. 1-5 is provided for purposes ofillustration and should not be considered to limit the scope of thedifferent embodiments.

With reference to the figures, FIGS. 1A and 1B (collectively, “FIG. 1”)are schematic diagrams illustrating various systems 100 and 100′ forimplementing restricted Wi-Fi access configuration between public andprivate SSIDs, in accordance with various embodiments.

In the non-limiting example of FIG. 1A, system 100 might comprisenetwork device 105 a, one or more user devices 110 a-110 n(collectively, “user devices 110”), one or more user devices 120 a-120 n(collectively, “user devices 120”), and database(s) 125 a. The networkdevice 105 a, the user devices 110, and the database(s) 125 a might bedisposed within customer premises 115 (which might be associated with auser associated with at least one user device of user devices 110),while the user devices 120 might be disposed external to customerpremises 115. The customer premises 115 might be one of a single familyhouse, a multi-dwelling unit (“MDU”) within a multi-dwelling complex(including, but not limited to, an apartment building, an apartmentcomplex, a condominium complex, a townhouse complex, a mixed-usebuilding, etc.), a motel, an inn, a hotel, an office building orcomplex, a commercial building or complex, an industrial building orcomplex, and/or the like. According to some embodiments, the networkdevice might include, without limitation, at least one of a modem, agateway device, a network switch, or a network router, and/or the like.

System 100 might further comprise access network(s) 130, one or moretelecommunications relay systems 135, and network(s) 140, and/or thelike. The one or more telecommunications relay systems 135 mightinclude, but are not limited to, one or more wireless network interfaces(e.g., wireless modems, wireless access points, and the like), one ormore towers, one or more satellites, and/or the like). In FIG. 1, unlessotherwise indicated, the solid lines denote wired communication, whilethe lightning bolt symbols denote wireless communication, and the dashedlines or dash-long dashed lines denote either wired or wirelesscommunication.

In operation, a user might request public network access using a userdevice (e.g., one of the one or more user devices 110 a-110 n or one ofthe one or more user devices 120 a-120 n, or the like), e.g., byselecting a public access network (including, but not limited to, acommunity Wi-Fi network, or the like) from a list of available networks,or the like. The network device 105 a, which is in communication withthe user device—via wired communication (as denoted by solid linestherebetween) or wireless communication (as denoted by the lightningbolt symbols)—, might receive, from the user device, the request forpublic network access to the network(s) 140. The network device 105 amight determine whether the user device is associated with a firstidentifier that is associated with a user having network private accessto the network(s) 140 through the network device (here, the requestinguser might either be the same person as the user having network privateaccess, or a different user). If not, the network device 105 a mightprovide the user device with network public access, via network publicaccess path 150 to network(s) 140 (as depicted by the dash-lined path150 in FIG. 1A, from the network device 105 a to the network(s) 140 viathe access network(s) 130 and the one or more telecommunications relaysystems 135). If the user device is associated with a first identifierthat is associated with a user having network private access to thenetwork(s) 140, however, the network device 105 a might prevent the userdevice from having network public access to the network(s) 140, e.g., bydisconnecting, blocking, or preventing connection with the connectionpath between the user device and the network public access path 150. Insome aspects, providing or preventing network access might beaccomplished using a walled garden approach, a limited portal approach,and/or the like. The network device 105 a, in some cases, mightadditionally provide, to a user interface of the user device, optionsfor the user to purchase additional bandwidth, or to provide, to theuser interface, at least a message or notification indicating thatnetwork public access is denied due to the user already having networkprivate access, or the like.

In some embodiments, the user device might have a second identifier, anddetermining whether the user device is associated with the firstidentifier that is associated with a user having network private accessto the network through the network device might comprise accessing, withthe network device 105 a, the database(s) 125 a containing a list ofidentifiers; and comparing, with the network device, the secondidentifier with the first identifier. Merely by way of example, in somecases, alternative or additional to comparing the second identifier withthe first identifier, the network device might compare the user(s)associated with the second identifier with the user(s) associated withthe first identifier. In some instances, each of the first identifier orthe second identifier might include without limitation, at least one ofa media access control (“MAC”) address, a service set identifier(“SSID”), and/or the like, and the list of identifiers might include,but is not limited to, a table of public MAC identifiers, a table ofprivate or non-public MAC identifiers, a combined table of public andnon-public MAC identifiers, a table of public SSIDs, a table of privateor non-public SSIDs, a combined table of public and non-public SSIDs,and/or the like. The various tables in the database(s) 125 a, which insome cases might be disposed within the network device 105 a, might beretained despite rebooting of the network device 105 a.

According to some embodiments, a user might request private networkaccess using user device. The network device 105 a, which is incommunication with the user device—via wired communication or wirelesscommunication —, might receive, from the user device, the request forprivate network access to the network(s) 140. The network device 105 amight determine whether the user device is associated with a firstidentifier that is associated with a user having network private accessto the network(s) 140 through the network device. If so, the networkdevice 105 a might provide the user device with network private access,via network public access path 145, to network(s) 140. If not, inaddition to providing the user device with network private access vianetwork public access path 145, the network device 105 a might add theidentifier of the user device to the list of identifiers stored in thedatabase(s) 125 a. In this manner, the network device 105 a (and/or thesystem 100) might dynamically learn private MAC identifiers, SSID,and/or other identifiers of user devices that have successfully gainednetwork private access to the network(s) 140. In a similar manner, thenetwork device 105 a (and/or the system 100) might similarly track userdevices that have failed (and the frequency or number of failedattempts) to gain network private access to the network(s) 140.

Turning to FIG. 1B, system 100′ might comprise network device 105 b, oneor more user devices 110 a-110 n (collectively, “user devices 110”), oneor more user devices 120 a-120 n (collectively, “user devices 120”),database(s) 125 b, and network interface device (“NID”) 155. The userdevices 110, and the NID 155 might be disposed at or within customerpremises 115 (which might be associated with a user associated with atleast one user device of user devices 110), while the user devices 120might be disposed external to customer premises 115. As above, thecustomer premises 115 might be one of a single family house, amulti-dwelling unit (“MDU”) within a multi-dwelling complex (including,but not limited to, an apartment building, an apartment complex, acondominium complex, a townhouse complex, a mixed-use building, etc.), amotel, an inn, a hotel, an office building or complex, a commercialbuilding or complex, an industrial building or complex, and/or the like.According to some embodiments, the network device might include, withoutlimitation, at least one of a modem, a gateway device, a network switch,or a network router, and/or the like.

System 100′ might further comprise access network(s) 130, one or moretelecommunications relay systems 135, and network(s) 140, and/or thelike. The one or more telecommunications relay systems 135 mightinclude, but are not limited to, one or more wireless network interfaces(e.g., wireless modems, wireless access points, and the like), one ormore towers, one or more satellites, and/or the like). In FIG. 1, unlessotherwise indicated, the solid lines denote wired communication, whilethe lightning bolt symbols denote wireless communication, and the dashedlines or dash-long dashed lines denote either wired or wirelesscommunication. The network device 105 b and the database(s) 125 b mightbe disposed within access network(s) 130.

In operation, a user might request public network access using a userdevice (e.g., one of the one or more user devices 110 a-110 n or one ofthe one or more user devices 120 a-120 n, or the like), e.g., byselecting a public access network (including, but not limited to, acommunity Wi-Fi network, or the like) from a list of available networks,or the like. The network device 105 b, which is in communication withthe user device—via wired communication (as denoted by solid linestherebetween) and/or wireless communication (as denoted by the lightningbolt symbols) and via NID 155, the access network(s) 130, and the one ormore telecommunications relay systems 135 —, might receive, from theuser device, the request for public network access to the network(s)140. The network device 105 b might determine whether the user device isassociated with a first identifier that is associated with a user havingnetwork private access to the network(s) 140 through the network device(here, the requesting user might either be the same person as the userhaving network private access, or a different user). If not, the networkdevice 105 b might provide the user device with network public access,via network public access path 150 to network(s) 140 (as depicted by thedash-lined path 150 in FIG. 1A, from the network device 105 b to thenetwork(s) 140). If the user device is associated with a firstidentifier that is associated with a user having network private accessto the network(s) 140, however, the network device 105 b might preventthe user device from having network public access to the network(s) 140,e.g., by disconnecting, blocking, or preventing connection with theconnection path between the user device and the network public accesspath 150. In some aspects, providing or preventing network access mightbe accomplished using a walled garden approach, a limited portalapproach, and/or the like. The network device 105 b, in some cases,might additionally provide, to a user interface of the user device,options for the user to purchase additional bandwidth, or to provide, tothe user interface, at least a message or notification indicating thatnetwork public access is denied due to the user already having networkprivate access, or the like.

In some embodiments, the user device might have a second identifier, anddetermining whether the user device is associated with the firstidentifier that is associated with a user having network private accessto the network through the network device might comprise accessing, withthe network device 105 b, the database(s) 125 b containing a list ofidentifiers; and comparing, with the network device, the secondidentifier with the first identifier. Merely by way of example, in somecases, alternative or additional to comparing the second identifier withthe first identifier, the network device might compare the user(s)associated with the second identifier with the user(s) associated withthe first identifier. In some instances, each of the first identifier orthe second identifier might include without limitation, at least one ofa media access control (“MAC”) address, a service set identifier(“SSID”), and/or the like, and the list of identifiers might include,but is not limited to, a table of public MAC identifiers, a table ofprivate or non-public MAC identifiers, a combined table of public andnon-public MAC identifiers, a table of public SSIDs, a table of privateor non-public SSIDs, a combined table of public and non-public SSIDs,and/or the like. The various tables in the database(s) 125 b, which insome cases might be disposed within the network device 105 b, might beretained despite rebooting of the network device 105 b.

According to some embodiments, a user might request private networkaccess using user device. The network device 105 b, which is incommunication with the user device—via wired communication and/orwireless communication and via NID 155, the access network(s) 130, andthe one or more telecommunications relay systems 135 —, might receive,from the user device, the request for private network access to thenetwork(s) 140. The network device 105 b might determine whether theuser device is associated with a first identifier that is associatedwith a user having network private access to the network(s) 140 throughthe network device. If so, the network device 105 b might provide theuser device with network private access, via network public access path145, to network(s) 140. If not, in addition to providing the user devicewith network private access via network public access path 145, thenetwork device 105 b might add the identifier of the user device to thelist of identifiers stored in the database(s) 125 b. In this manner, thenetwork device 105 b (and/or the system 100) might dynamically learnprivate MAC identifiers, SSID, and/or other identifiers of user devicesthat have successfully gained network private access to the network(s)140. In a similar manner, the network device 105 b (and/or the system100) might similarly track user devices that have failed (and thefrequency or number of failed attempts) to gain network private accessto the network(s) 140.

FIG. 2 is a simplified schematic diagram illustrating a system 200 forimplementing restricted Wi-Fi access configuration between public andprivate SSIDs, in accordance with various embodiments.

In the non-limiting example of FIG. 2, system 200 might comprise a userdevice 205 (which might correspond to at least one of user devices 110a-110 n and 120 a-120 n of FIGS. 1A and 1B, or the like), a networkdevice 210 (which might correspond to at least one of network devices105 a and 105 b of FIGS. 1A and 1B, or the like), a database(s) 215(which might comprise to at least one of database(s) 125 a and 125 b ofFIGS. 1A and 1B, or the like), and network(s) 220 (which mightcorrespond to at least one of networks 130 and 140 of FIGS. 1A and 1B,or the like). System 200 might further comprise network private accesspath 225 and network public access path 230.

In operation, a user might request public network access using userdevice 205. The network device 210, which is in communication with theuser device 205—via wired communication or wireless communication —,might receive, from the user device 205, the request for public networkaccess to the network(s) 220. The network device 210 might determinewhether the user device 205 is associated with a first identifier thatis associated with a user having network private access to thenetwork(s) 220 through the network device. If not, the network device210 might provide the user device 205 with network public access, vianetwork public access path 230 using network switch 210 a, to network(s)220. If so, the network device 525 might prevent the user device fromhaving network public access to the network(s) 510, e.g., bydisconnecting, blocking, or preventing connection with the connectionpath between the user device 205 and the network public access path 230,using network switch 210 a. In some aspects, providing or preventingnetwork access might be accomplished using a walled garden approach, alimited portal approach, and/or the like. The network device 210, insome cases, might additionally provide, to a user interface of the userdevice, options for the user to purchase additional bandwidth, or toprovide, to the user interface, at least a message or notificationindicating that network public access is denied due to the user alreadyhaving network private access, or the like.

In some embodiments, the user device 205 might have a second identifier,and determining whether the user device is associated with the firstidentifier that is associated with a user having network private accessto the network through the network device might comprise accessing, withthe network device 210, the database(s) 215 containing a list ofidentifiers; and comparing, with the network device, the secondidentifier with the first identifier. Merely by way of example, in somecases, alternative or additional to comparing the second identifier withthe first identifier, the network device might compare the user(s)associated with the second identifier with the user(s) associated withthe first identifier. In some instances, each of the first identifier orthe second identifier might include without limitation, at least one ofa media access control (“MAC”) address, a service set identifier(“SSID”), and/or the like, and the list of identifiers might include,but is not limited to, a table of public MAC identifiers, a table ofprivate or non-public MAC identifiers, a combined table of public andnon-public MAC identifiers, a table of public SSIDs, a table of privateor non-public SSIDs, a combined table of public and non-public SSIDs,and/or the like. The various tables in the database(s) 215, which insome cases might be disposed within the network device 210, might beretained despite rebooting of the network device 210.

According to some embodiments, a user might request private networkaccess using user device 205. The network device 210, which is incommunication with the user device 205—via wired communication orwireless communication —, might receive, from the user device 205, therequest for private network access to the network(s) 220. The networkdevice 210 might determine whether the user device 205 is associatedwith a first identifier that is associated with a user having networkprivate access to the network(s) 220 through the network device. If so,the network device 210 might provide the user device 205 with networkprivate access, via network public access path 225 using network switch210 a, to network(s) 220. If not, in addition to providing the userdevice 205 with network private access via network public access path225, the network device 210 might add the identifier of the user device205 to the list of identifiers stored in the database(s) 215. In thismanner, the network device 210 (and/or the system 200) might dynamicallylearn private MAC identifiers, SSID, and/or other identifiers of userdevices that have successfully gained network private access to thenetwork(s) 220. In a similar manner, the network device 210 (and/or thesystem 200) might similarly track user devices that have failed (and thefrequency or number of failed attempts) to gain network private accessto the network(s) 220.

The user device 205, the network device 210, the database(s) 215, thenetwork(s) 220, the network private access path 225, and the networkpublic access path 230 of system 200 might otherwise be similar, if notidentical to, the user devices 110 or 120, the network devices 105 a or105 b, the database(s) 125 a or 125 b, the network(s) 140, the networkprivate access path 145, and the network public access path 150 ofsystems 100 of FIG. 1A and 100′ of FIG. 1B, as described above.

FIGS. 3A and 3B are flow diagrams illustrating a method 300 forimplementing restricted Wi-Fi access configuration between public andprivate SSIDs, in accordance with various embodiments.

While the techniques and procedures are depicted and/or described in acertain order for purposes of illustration, it should be appreciatedthat certain procedures may be reordered and/or omitted within the scopeof various embodiments. Moreover, while the method 300 illustrated byFIG. 3 can be implemented by or with (and, in some cases, are describedbelow with respect to) the systems 100, 100′, and 200 of FIGS. 1A, 1B,and 2, respectively (or components thereof), such methods may also beimplemented using any suitable hardware (or software) implementation.Similarly, while each of the systems 100, 100′, and 200 of FIGS. 1A, 1B,and 2, respectively (or components thereof), can operate according tothe method 300 illustrated by FIG. 3 (e.g., by executing instructionsembodied on a computer readable medium), the systems 100, 100′, and 200of FIGS. 1A, 1B, and 2 can each also operate according to other modes ofoperation and/or perform other suitable procedures.

In the non-limiting embodiment of FIG. 3A, method 300, at block 305,receiving, with a network device (which might correspond to at least oneof network devices 105 a, 105 b, and 210 of FIGS. 1A, 1B, and 2, or thelike) and from a user device (which might correspond to at least one ofuser devices 110 a-110 n, 120 a-120 n, and 205 of FIGS. 1A, 1B, and 2,or the like), a request for network public access to a network (whichmight correspond to at least one of networks 130, 140, and 220 of FIGS.1 and 2, or the like) through the network device.

At block 310, method 300 might comprise determining, with the networkdevice, whether the user device is associated with a first identifierthat is associated with a user having network private access to thenetwork through the network device. In some embodiments, the firstidentifier might comprise a media access control (“MAC”) address.Alternatively, or additionally, the first identifier might comprise aservice set identifier (“SSID”). According to some embodiments, the userdevice has a second identifier, and determining whether the user deviceis associated with the first identifier that is associated with a userhaving network private access to the network through the network devicemight comprise accessing, with the network device, a database (whichmight comprise to at least one of database(s) 125 a, 125 b, and 215 ofFIGS. 1A, 1B, and 2, or the like) containing a list of identifiers; andcomparing, with the network device, the second identifier with the firstidentifier. Merely by way of example, in some aspects, rather thancomparing the second identifier with the first identifier, the networkdevice might compare the user(s) associated with the second identifierwith the user(s) associated with the first identifier.

Method 300 might further comprise, based on a determination (at block310) that the user device is associated with a first identifier that isassociated with a user having network private access to the networkthrough the network device, preventing, with the network device, theuser device from having network public access to the network (block315), in some cases, based on a determination that the second identifiermatches the first identifier, while, in other cases, based on adetermination that the user(s) associated with the second identifiermatches the user(s) associated with the first identifier. Method 300, atoptional block 320, might further comprise providing, with the networkdevice and to a user interface of the user device, options for the userto purchase additional bandwidth.

Alternatively, based on a determination (at block 310) that the userdevice is not associated with a first identifier that is associated witha user having network private access to the network through the networkdevice, method 300 might further comprise providing, with the networkdevice, the user device with network public access to the network (block325).

With reference to FIG. 3B, method 300 might further comprise, at block330, receiving, with the network device and from a second user device, arequest for network private access to the network through the networkdevice, the request for network private access comprising authenticationinformation for accessing the network using network private access. Atblock 335, method 300 might comprise authenticating, with the networkdevice, the second user device, in some instances, by authenticating theauthentication information provided in the request for network privateaccess. If the second user device is not authenticated, the processproceeds to block 340, at which method 300 comprises preventing, withthe network device, the second user device from having network privateaccess to the network. On the other hand, if the second user device,which has a third identifier, is authenticated, the process proceeds toblock 345.

At block 345, method 300 might comprise determining, with the networkdevice, whether the third identifier (of the second user device) haspreviously been associated with the user having network private accessto the network through the network device. If not, the process proceedsto block 350, at which method 300 comprises adding, with the networkdevice, the third identifier to a list in the database indicating thethird identifier as being associated with the user having networkprivate access to the network through the network device. Method 300, atblock 355, might comprise providing, with the network device, the seconduser device with network private access to the network. If the thirdidentifier has previously been associated with the user having networkprivate access to the network through the network device, the processskips block 350 and proceeds directed to block 355.

Exemplary System and Hardware Implementation

FIG. 4 is a block diagram illustrating an exemplary computer or systemhardware architecture, in accordance with various embodiments. FIG. 4provides a schematic illustration of one embodiment of a computer system400 of the service provider system hardware that can perform the methodsprovided by various other embodiments, as described herein, and/or canperform the functions of computer or hardware system (i.e., networkdevices 105 a, 105 b, and 210, user devices 110 a-110 n, 120 a-120 n,and 205, and network interface device (“NID”) 155, etc.), as describedabove. It should be noted that FIG. 4 is meant only to provide ageneralized illustration of various components, of which one or more (ornone) of each may be utilized as appropriate. FIG. 4, therefore, broadlyillustrates how individual system elements may be implemented in arelatively separated or relatively more integrated manner.

The computer or hardware system 400—which might represent an embodimentof the computer or hardware system (i.e., network devices 105 a, 105 b,and 210, user devices 110 a-110 n, 120 a-120 n, and 205, and NID 155,etc.), described above with respect to FIGS. 1-3—is shown comprisinghardware elements that can be electrically coupled via a bus 405 (or mayotherwise be in communication, as appropriate). The hardware elementsmay include one or more processors 410, including, without limitation,one or more general-purpose processors and/or one or morespecial-purpose processors (such as microprocessors, digital signalprocessing chips, graphics acceleration processors, and/or the like);one or more input devices 415, which can include, without limitation, amouse, a keyboard and/or the like; and one or more output devices 420,which can include, without limitation, a display device, a printer,and/or the like.

The computer or hardware system 400 may further include (and/or be incommunication with) one or more storage devices 425, which can comprise,without limitation, local and/or network accessible storage, and/or caninclude, without limitation, a disk drive, a drive array, an opticalstorage device, solid-state storage device such as a random accessmemory (“RAM”) and/or a read-only memory (“ROM”), which can beprogrammable, flash-updateable and/or the like. Such storage devices maybe configured to implement any appropriate data stores, including,without limitation, various file systems, database structures, and/orthe like.

The computer or hardware system 400 might also include a communicationssubsystem 430, which can include, without limitation, a modem, a networkcard (wireless or wired), an infra-red communication device, a wirelesscommunication device and/or chipset (such as a Bluetooth™ device, an802.11 device, a WiFi device, a WiMax device, a WWAN device, cellularcommunication facilities, etc.), and/or the like. The communicationssubsystem 430 may permit data to be exchanged with a network (such asthe network described below, to name one example), with other computeror hardware systems, and/or with any other devices described herein. Inmany embodiments, the computer or hardware system 400 will furthercomprise a working memory 435, which can include a RAM or ROM device, asdescribed above.

The computer or hardware system 400 also may comprise software elements,shown as being currently located within the working memory 435,including an operating system 440, device drivers, executable libraries,and/or other code, such as one or more application programs 445, whichmay comprise computer programs provided by various embodiments(including, without limitation, hypervisors, VMs, and the like), and/ormay be designed to implement methods, and/or configure systems, providedby other embodiments, as described herein. Merely by way of example, oneor more procedures described with respect to the method(s) discussedabove might be implemented as code and/or instructions executable by acomputer (and/or a processor within a computer); in an aspect, then,such code and/or instructions can be used to configure and/or adapt ageneral purpose computer (or other device) to perform one or moreoperations in accordance with the described methods.

A set of these instructions and/or code might be encoded and/or storedon a non-transitory computer readable storage medium, such as thestorage device(s) 425 described above. In some cases, the storage mediummight be incorporated within a computer system, such as the system 400.In other embodiments, the storage medium might be separate from acomputer system (i.e., a removable medium, such as a compact disc,etc.), and/or provided in an installation package, such that the storagemedium can be used to program, configure, and/or adapt a general purposecomputer with the instructions/code stored thereon. These instructionsmight take the form of executable code, which is executable by thecomputer or hardware system 400 and/or might take the form of sourceand/or installable code, which, upon compilation and/or installation onthe computer or hardware system 400 (e.g., using any of a variety ofgenerally available compilers, installation programs,compression/decompression utilities, etc.) then takes the form ofexecutable code.

It will be apparent to those skilled in the art that substantialvariations may be made in accordance with specific requirements. Forexample, customized hardware (such as programmable logic controllers,field-programmable gate arrays, application-specific integratedcircuits, and/or the like) might also be used, and/or particularelements might be implemented in hardware, software (including portablesoftware, such as applets, etc.), or both. Further, connection to othercomputing devices such as network input/output devices may be employed.

As mentioned above, in one aspect, some embodiments may employ acomputer or hardware system (such as the computer or hardware system400) to perform methods in accordance with various embodiments of theinvention. According to a set of embodiments, some or all of theprocedures of such methods are performed by the computer or hardwaresystem 400 in response to processor 410 executing one or more sequencesof one or more instructions (which might be incorporated into theoperating system 440 and/or other code, such as an application program445) contained in the working memory 435. Such instructions may be readinto the working memory 435 from another computer readable medium, suchas one or more of the storage device(s) 425. Merely by way of example,execution of the sequences of instructions contained in the workingmemory 435 might cause the processor(s) 410 to perform one or moreprocedures of the methods described herein.

The terms “machine readable medium” and “computer readable medium,” asused herein, refer to any medium that participates in providing datathat causes a machine to operate in a specific fashion. In an embodimentimplemented using the computer or hardware system 400, various computerreadable media might be involved in providing instructions/code toprocessor(s) 410 for execution and/or might be used to store and/orcarry such instructions/code (e.g., as signals). In manyimplementations, a computer readable medium is a non-transitory,physical, and/or tangible storage medium. In some embodiments, acomputer readable medium may take many forms, including, but not limitedto, non-volatile media, volatile media, or the like. Non-volatile mediaincludes, for example, optical and/or magnetic disks, such as thestorage device(s) 425. Volatile media includes, without limitation,dynamic memory, such as the working memory 435. In some alternativeembodiments, a computer readable medium may take the form oftransmission media, which includes, without limitation, coaxial cables,copper wire and fiber optics, including the wires that comprise the bus405, as well as the various components of the communication subsystem430 (and/or the media by which the communications subsystem 430 providescommunication with other devices). In an alternative set of embodiments,transmission media can also take the form of waves (including withoutlimitation radio, acoustic and/or light waves, such as those generatedduring radio-wave and infra-red data communications).

Common forms of physical and/or tangible computer readable mediainclude, for example, a floppy disk, a flexible disk, a hard disk,magnetic tape, or any other magnetic medium, a CD-ROM, any other opticalmedium, punch cards, paper tape, any other physical medium with patternsof holes, a RAM, a PROM, and EPROM, a FLASH-EPROM, any other memory chipor cartridge, a carrier wave as described hereinafter, or any othermedium from which a computer can read instructions and/or code.

Various forms of computer readable media may be involved in carrying oneor more sequences of one or more instructions to the processor(s) 410for execution. Merely by way of example, the instructions may initiallybe carried on a magnetic disk and/or optical disc of a remote computer.A remote computer might load the instructions into its dynamic memoryand send the instructions as signals over a transmission medium to bereceived and/or executed by the computer or hardware system 400. Thesesignals, which might be in the form of electromagnetic signals, acousticsignals, optical signals, and/or the like, are all examples of carrierwaves on which instructions can be encoded, in accordance with variousembodiments of the invention.

The communications subsystem 430 (and/or components thereof) generallywill receive the signals, and the bus 405 then might carry the signals(and/or the data, instructions, etc. carried by the signals) to theworking memory 435, from which the processor(s) 405 retrieves andexecutes the instructions. The instructions received by the workingmemory 435 may optionally be stored on a storage device 425 eitherbefore or after execution by the processor(s) 410.

As noted above, a set of embodiments comprises methods and systems forimplementing network access configurations, and, more particularly, tomethods, systems, and apparatuses for implementing restricted Wi-Fiaccess configuration between public and private service set identifiers(“SSIDs”). FIG. 5 illustrates a schematic diagram of a system 500 thatcan be used in accordance with one set of embodiments. The system 500can include one or more user computers, user devices, or customerdevices 505. A user computer, user device, or customer device 505 can bea general purpose personal computer (including, merely by way ofexample, desktop computers, tablet computers, laptop computers, handheldcomputers, and the like, running any appropriate operating system,several of which are available from vendors such as Apple, MicrosoftCorp., and the like), cloud computing devices, a server(s), and/or aworkstation computer(s) running any of a variety ofcommercially-available UNIX™ or UNIX-like operating systems. A usercomputer, user device, or customer device 505 can also have any of avariety of applications, including one or more applications configuredto perform methods provided by various embodiments (as described above,for example), as well as one or more office applications, databaseclient and/or server applications, and/or web browser applications.Alternatively, a user computer, user device, or customer device 505 canbe any other electronic device, such as a thin-client computer,Internet-enabled mobile telephone, and/or personal digital assistant,capable of communicating via a network (e.g., the network(s) 510described below) and/or of displaying and navigating web pages or othertypes of electronic documents. Although the exemplary system 500 isshown with two user computers, user devices, or customer devices 505,any number of user computers, user devices, or customer devices can besupported.

Certain embodiments operate in a networked environment, which caninclude a network(s) 510. The network(s) 510 can be any type of networkfamiliar to those skilled in the art that can support datacommunications using any of a variety of commercially-available (and/orfree or proprietary) protocols, including, without limitation, TCP/IP,SNA™, IPX™, AppleTalk™, and the like. Merely by way of example, thenetwork(s) 510 (similar to network(s) 130 and 140 of FIG. 1 ornetwork(s) 220 of FIG. 2, or the like) can each include a local areanetwork (“LAN”), including, without limitation, a fiber network, anEthernet network, a Token-Ring™ network and/or the like; a wide-areanetwork (“WAN”); a wireless wide area network (“WWAN”); a virtualnetwork, such as a virtual private network (“VPN”); the Internet; anintranet; an extranet; a public switched telephone network (“PSTN”); aninfra-red network; a wireless network, including, without limitation, anetwork operating under any of the IEEE 802.11 suite of protocols, theBluetooth™ protocol known in the art, and/or any other wirelessprotocol; and/or any combination of these and/or other networks. In aparticular embodiment, the network might include an access network ofthe service provider (e.g., an Internet service provider (“ISP”)). Inanother embodiment, the network might include a core network of theservice provider, and/or the Internet.

Embodiments can also include one or more server computers 515. Each ofthe server computers 515 may be configured with an operating system,including, without limitation, any of those discussed above, as well asany commercially (or freely) available server operating systems. Each ofthe servers 515 may also be running one or more applications, which canbe configured to provide services to one or more clients 505 and/orother servers 515.

Merely by way of example, one of the servers 515 might be a data server,a web server, a cloud computing device(s), or the like, as describedabove. The data server might include (or be in communication with) a webserver, which can be used, merely by way of example, to process requestsfor web pages or other electronic documents from user computers 505. Theweb server can also run a variety of server applications, including HTTPservers, FTP servers, CGI servers, database servers, Java servers, andthe like. In some embodiments of the invention, the web server may beconfigured to serve web pages that can be operated within a web browseron one or more of the user computers 505 to perform methods of theinvention.

The server computers 515, in some embodiments, might include one or moreapplication servers, which can be configured with one or moreapplications accessible by a client running on one or more of the clientcomputers 505 and/or other servers 515. Merely by way of example, theserver(s) 515 can be one or more general purpose computers capable ofexecuting programs or scripts in response to the user computers 505and/or other servers 515, including, without limitation, webapplications (which might, in some cases, be configured to performmethods provided by various embodiments). Merely by way of example, aweb application can be implemented as one or more scripts or programswritten in any suitable programming language, such as Java™, C, C#™ orC++, and/or any scripting language, such as Perl, Python, or TCL, aswell as combinations of any programming and/or scripting languages. Theapplication server(s) can also include database servers, including,without limitation, those commercially available from Oracle™,Microsoft™, Sybase™, IBM™, and the like, which can process requests fromclients (including, depending on the configuration, dedicated databaseclients, API clients, web browsers, etc.) running on a user computer,user device, or customer device 505 and/or another server 515. In someembodiments, an application server can perform one or more of theprocesses for implementing network access configurations, and, moreparticularly, to methods, systems, and apparatuses for implementingrestricted Wi-Fi access configuration between public and private serviceset identifiers (“SSIDs”), as described in detail above. Data providedby an application server may be formatted as one or more web pages(comprising HTML, JavaScript, etc., for example) and/or may be forwardedto a user computer 505 via a web server (as described above, forexample). Similarly, a web server might receive web page requests and/orinput data from a user computer 505 and/or forward the web page requestsand/or input data to an application server. In some cases, a web servermay be integrated with an application server.

In accordance with further embodiments, one or more servers 515 canfunction as a file server and/or can include one or more of the files(e.g., application code, data files, etc.) necessary to implementvarious disclosed methods, incorporated by an application running on auser computer 505 and/or another server 515. Alternatively, as thoseskilled in the art will appreciate, a file server can include allnecessary files, allowing such an application to be invoked remotely bya user computer, user device, or customer device 505 and/or server 515.

It should be noted that the functions described with respect to variousservers herein (e.g., application server, database server, web server,file server, etc.) can be performed by a single server and/or aplurality of specialized servers, depending on implementation-specificneeds and parameters.

In certain embodiments, the system can include one or more databases 520a-520 n (collectively, “databases 520”). The location of each of thedatabases 520 is discretionary: merely by way of example, a database 520a might reside on a storage medium local to (and/or resident in) aserver 515 a (and/or a user computer, user device, or customer device505). Alternatively, a database 520 n can be remote from any or all ofthe computers 505, 515, so long as it can be in communication (e.g., viathe network(s) 510) with one or more of these. In a particular set ofembodiments, a database 520 can reside in a storage-area network (“SAN”)familiar to those skilled in the art. (Likewise, any necessary files forperforming the functions attributed to the computers 505, 515 can bestored locally on the respective computer and/or remotely, asappropriate.) In one set of embodiments, the database 520 can be arelational database, such as an Oracle database, that is adapted tostore, update, and retrieve data in response to SQL-formatted commands.The database might be controlled and/or maintained by a database server,as described above, for example.

According to some embodiments, system 500 might further comprise anetwork device 525 (similar to network devices 105 a, 105 b, and 210 ofFIGS. 1A, 1B, and 2, or the like), database(s) 530 (similar todatabase(s) 125 a, 125 b, and 215 of FIGS. 1A, 1B, and 2, or the like),one or more user devices 535 a-535 n (similar to user devices 110 a-110n, 120 a-120 n, and 205 of FIGS. 1A, 1B, and 2, or the like), a networkprivate access path 540 (similar to network private access path 145 and225 of FIGS. 1 and 2, or the like), and a network public access path 545(similar to network private access path 150 and 230 of FIGS. 1 and 2, orthe like).

In operation, a user might request public network access using a userdevice (i.e., one of user device 505 a, 505 b, or 535 a-535 n). Thenetwork device 525, which is in communication with the user device—viawired communication (as shown by the line connection in FIG. 6) orwireless communication (as shown by the lightning bolt symbols in FIG.6)—, might receive the request for public network access from the userdevice. The network device 525 might determine whether the user deviceis associated with a first identifier that is associated with a userhaving network private access to the network through the network device.If not, the network device 525 might provide the user device withnetwork public access, via network public access path 545, to network(s)510. If so, the network device 525 might prevent the user device fromhaving network public access to the network(s) 510.

These and other functions of the system 500 (and its components) aredescribed in greater detail above with respect to FIGS. 1-3.

While certain features and aspects have been described with respect toexemplary embodiments, one skilled in the art will recognize thatnumerous modifications are possible. For example, the methods andprocesses described herein may be implemented using hardware components,software components, and/or any combination thereof. Further, whilevarious methods and processes described herein may be described withrespect to particular structural and/or functional components for easeof description, methods provided by various embodiments are not limitedto any particular structural and/or functional architecture but insteadcan be implemented on any suitable hardware, firmware and/or softwareconfiguration. Similarly, while certain functionality is ascribed tocertain system components, unless the context dictates otherwise, thisfunctionality can be distributed among various other system componentsin accordance with the several embodiments.

Moreover, while the procedures of the methods and processes describedherein are described in a particular order for ease of description,unless the context dictates otherwise, various procedures may bereordered, added, and/or omitted in accordance with various embodiments.Moreover, the procedures described with respect to one method or processmay be incorporated within other described methods or processes;likewise, system components described according to a particularstructural architecture and/or with respect to one system may beorganized in alternative structural architectures and/or incorporatedwithin other described systems. Hence, while various embodiments aredescribed with—or without—certain features for ease of description andto illustrate exemplary aspects of those embodiments, the variouscomponents and/or features described herein with respect to a particularembodiment can be substituted, added and/or subtracted from among otherdescribed embodiments, unless the context dictates otherwise.Consequently, although several exemplary embodiments are describedabove, it will be appreciated that the invention is intended to coverall modifications and equivalents within the scope of the followingclaims.

What is claimed is:
 1. A method, comprising: receiving, with a networkdevice and from a user device, a request for network public access to anetwork through the network device; determining, with the networkdevice, whether the user device is associated with a first identifierthat is associated with a user having network private access to thenetwork through the network device; and based on a determination thatthe user device is associated with a first identifier that is associatedwith a user having network private access to the network through thenetwork device, preventing, with the network device, the user devicefrom having network public access to the network.
 2. The method of claim1, wherein the first identifier comprises a media access control (“MAC”)address.
 3. The method of claim 1, wherein the first identifiercomprises a service set identifier (“SSID”).
 4. The method of claim 1,wherein the network device comprises at least one of a modem, a gatewaydevice, a network switch, or a network router.
 5. The method of claim 1,wherein the user device has a second identifier, wherein determiningwhether the user device is associated with the first identifier that isassociated with a user having network private access to the networkthrough the network device comprises: accessing, with the networkdevice, a database containing a list of identifiers; and comparing, withthe network device, the second identifier with the first identifier. 6.The method of claim 5, preventing the user device from having networkpublic access to the network comprises preventing, with the networkdevice, the user device from having network public access to thenetwork, based on a determination that the second identifier matches thefirst identifier.
 7. The method of claim 5, preventing the user devicefrom having network public access to the network comprises preventing,with the network device, the user device from having network publicaccess to the network, based on a determination that a user associatedwith the second identifier matches a user associated with the firstidentifier.
 8. The method of claim 1, further comprising: further inresponse to receiving the request and further based on the determinationthat the user device is associated with the first identifier, providing,with the network device and to a user interface of the user device,options for the user to purchase additional bandwidth.
 9. The method ofclaim 1, further comprising: receiving, with the network device and froma second user device, a request for network private access to thenetwork through the network device, the request for network privateaccess comprising authentication information for accessing the networkusing network private access; authenticating, with the network device,the second user device by authenticating the authentication informationprovided in the request for network private access, wherein the seconduser device has a third identifier; in response to the second userdevice being authenticated, determining, with the network device,whether the third identifier has previously been associated with theuser having network private access to the network through the networkdevice; and based on a determination that the third identifier has notpreviously been associated with the user having network private accessto the network through the network device, adding, with the networkdevice, the third identifier to a list in a database indicating thethird identifier as being associated with the user having networkprivate access to the network through the network device.
 10. A networkdevice, comprising: at least one processor; and a non-transitorycomputer readable medium communicatively coupled to the at least oneprocessor, the non-transitory computer readable medium having storedthereon computer software comprising a set of instructions that, whenexecuted by the at least one processor, causes the network device to:receive, from a user device, a request for network public access to anetwork through the network device; determine whether the user device isassociated with a first identifier that is associated with a user havingnetwork private access to the network through the network device; andbased on a determination that the user device is associated with a firstidentifier that is associated with a user having network private accessto the network through the network device, prevent the user device fromhaving network public access to the network.
 11. The network device ofclaim 10, wherein the first identifier comprises a media access control(“MAC”) address.
 12. The network device of claim 10, wherein the firstidentifier comprises a service set identifier (“SSID”).
 13. The networkdevice of claim 10, wherein the network device comprises at least one ofa modem, a gateway device, a network switch, or a network router. 14.The network device of claim 10, wherein the user device has a secondidentifier, wherein determining whether the user device is associatedwith the first identifier that is associated with a user having networkprivate access to the network through the network device comprises:accessing a database containing a list of identifiers; and comparing thesecond identifier with the first identifier.
 15. The network device ofclaim 14, wherein preventing the user device from having network publicaccess to the network comprises preventing the user device from havingnetwork public access to the network, based on a determination that thesecond identifier matches the first identifier.
 16. The network deviceof claim 10, wherein the set of instructions, when executed by the atleast one processor, further causes the network device to: further inresponse to receiving the request and further based on the determinationthat the user device is associated with the first identifier, provide,to a user interface of the user device, options for the user to purchaseadditional bandwidth.
 17. The network device of claim 10, wherein theset of instructions, when executed by the at least one processor,further causes the network device to: receive, from a second userdevice, a request for network private access to the network through thenetwork device, the request for network private access comprisingauthentication information for accessing the network using networkprivate access; authenticate the second user device by authenticatingthe authentication information provided in the request for networkprivate access, wherein the second user device has a third identifier;in response to the second user device being authenticated, determinewhether the third identifier has previously been associated with theuser having network private access to the network through the networkdevice; and based on a determination that the third identifier has notpreviously been associated with the user having network private accessto the network through the network device, add the third identifier to alist in a database indicating the third identifier as being associatedwith the user having network private access to the network through thenetwork device.
 18. A system, comprising: a network device, comprising:at least one processor; and a non-transitory computer readable mediumcommunicatively coupled to the at least one processor, thenon-transitory computer readable medium having stored thereon computersoftware comprising a set of instructions that, when executed by the atleast one processor, causes the network device to: receive, from a userdevice, a request for network public access to a network through thenetwork device; determine whether the user device is associated with afirst identifier that is associated with a user having network privateaccess to the network through the network device; and based on adetermination that the user device is associated with a first identifierthat is associated with a user having network private access to thenetwork through the network device, prevent the user device from havingnetwork public access to the network.
 19. The system of claim 18,wherein the first identifier comprises a media access control (“MAC”)address.
 20. The system of claim 18, wherein the first identifiercomprises a service set identifier (“SSID”).
 21. The system of claim 18,wherein the network device comprises at least one of a modem, a gatewaydevice, a network switch, or a network router.
 22. The system of claim18, wherein the user device has a second identifier, wherein determiningwhether the user device is associated with the first identifier that isassociated with a user having network private access to the networkthrough the network device comprises: accessing a database containing alist of identifiers; and comparing the second identifier with the firstidentifier.
 23. The system of claim 22, wherein preventing the userdevice from having network public access to the network comprisespreventing the user device from having network public access to thenetwork, based on a determination the second identifier matches thefirst identifier.
 24. The system of claim 18, wherein the set ofinstructions, when executed by the at least one processor, furthercauses the network device to: further in response to receiving therequest and further based on the determination that the user device isassociated with the first identifier, provide, to a user interface ofthe user device, options for the user to purchase additional bandwidth.25. The system of claim 18, wherein the set of instructions, whenexecuted by the at least one processor, further causes the networkdevice to: receive, from a second user device, a request for networkprivate access to the network through the network device, the requestfor network private access comprising authentication information foraccessing the network using network private access; authenticate thesecond user device by authenticating the authentication informationprovided in the request for network private access, wherein the seconduser device has a third identifier; in response to the second userdevice being authenticated, determine whether the third identifier haspreviously been associated with the user having network private accessto the network through the network device; and based on a determinationthat the third identifier has not previously been associated with theuser having network private access to the network through the networkdevice, add the third identifier to a list in a database indicating thethird identifier as being associated with the user having networkprivate access to the network through the network device.